I think the description of the --limit 1/s option for iptables is wrong. According to my reading of man iptables it should mean that only one SYN packet is accepted each second regardless of its source? Mentioned paragraph: This is where the rate limit becomes handy. It is possible to limit the number of SYN packets from a single source by using the <c>-m limit --limit 1/s</c>. This will limit the SYN packets to one per source and therefore restricting the SYN flood on our resources.
Created attachment 18089: Fix
Possible fix.
You're right. The whole idea behind rate-limiting to fight off SYN-floods is to restrict the amount of SYN-packets in general, not source-based. Fix approved :)
Committed. Thanks again!
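The shared-bucket behaviour the reporter describes, as an added model that is not code from this bug or its attachment: a simplified token-bucket imitation of the iptables `limit` match (rate from `--limit`, bucket size from `--limit-burst`, whose default is 5), fed constructed SYN arrival times and source addresses. Eight SYNs from eight different hosts and eight SYNs from one host get the identical verdict pattern, because the rule keeps one bucket, not one per source.

```python
"""Model of the iptables `limit` match as a token bucket (added example).

Mirrors a chain such as:
    iptables -A syn_flood -m limit --limit 1/s -j RETURN
    iptables -A syn_flood -j DROP
The real module counts credits in kernel ticks; the bucket below keeps
only the observable behaviour: `burst` packets pass at once, then one
packet per 1/rate seconds, with no per-source state at all.
"""
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    rate_per_s: float          # --limit 1/s  -> 1.0
    burst: int = 5             # --limit-burst (iptables default is 5)
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)   # bucket starts full

    def matches(self, now):
        # Refill for the time elapsed since the last packet, capped at burst,
        # then spend one token if any is left. No source address involved.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_per_s)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def syn_flood_chain(packets, rate_per_s=1.0, burst=5):
    """Return [(src, verdict), ...] for a list of (time_s, src) SYN arrivals.

    RETURN (accept) while the single shared bucket matches, else DROP."""
    bucket = LimitMatch(rate_per_s, burst)
    return [(src, "ACCEPT" if bucket.matches(t) else "DROP") for t, src in packets]


# Constructed sample: 8 SYNs from 8 distinct hosts within 80 ms (a small flood).
MANY_SOURCES = [(0.01 * i, f"10.0.0.{i}") for i in range(1, 9)]
# Constructed sample: the same timing from a single host.
ONE_SOURCE = [(0.01 * i, "198.51.100.7") for i in range(1, 9)]

if __name__ == "__main__":
    for src, verdict in syn_flood_chain(MANY_SOURCES):
        print(f"{src:<12} {verdict}")
```

Because the bucket is shared, a flood empties it for legitimate clients as well; the rule caps the total SYN rate reaching the host rather than isolating any one sender.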